Diffstat (limited to 'meta/recipes-extended/shadow')
19 files changed, 211 insertions, 914 deletions
diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch deleted file mode 100644 index aac2d42b12..0000000000 --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From 8cf3454d567f77233023be49a39a33e9f0836f89 Mon Sep 17 00:00:00 2001 -From: Scott Garman <scott.a.garman@intel.com> -Date: Thu, 14 Apr 2016 12:28:57 +0200 -Subject: [PATCH] Disable use of syslog for sysroot - -Disable use of syslog to prevent sysroot user and group additions from -writing entries to the host's syslog. This patch should only be used -with the shadow-native recipe. - -Upstream-Status: Inappropriate [disable feature] - -Signed-off-by: Scott Garman <scott.a.garman@intel.com> -Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - src/groupadd.c | 3 +++ - src/groupdel.c | 3 +++ - src/groupmems.c | 3 +++ - src/groupmod.c | 3 +++ - src/useradd.c | 3 +++ - src/userdel.c | 3 +++ - src/usermod.c | 3 +++ - 7 files changed, 21 insertions(+) - -diff --git a/src/groupadd.c b/src/groupadd.c -index 63e1c48..a596c49 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <getopt.h> -diff --git a/src/groupdel.c b/src/groupdel.c -index 70bed01..ababd81 100644 ---- a/src/groupdel.c -+++ b/src/groupdel.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <grp.h> -diff --git a/src/groupmems.c b/src/groupmems.c -index fc91c8b..2842514 100644 ---- a/src/groupmems.c -+++ b/src/groupmems.c -@@ -32,6 +32,9 @@ - - #include <config.h> - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <fcntl.h> - #include <getopt.h> - #include <grp.h> -diff --git a/src/groupmod.c b/src/groupmod.c -index 72daf2c..8965f9d 100644 ---- a/src/groupmod.c -+++ b/src/groupmod.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* 
Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <getopt.h> -diff --git a/src/useradd.c b/src/useradd.c -index 3aaf45c..1ab9174 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <ctype.h> - #include <errno.h> -diff --git a/src/userdel.c b/src/userdel.c -index c8de1d3..24d3ea9 100644 ---- a/src/userdel.c -+++ b/src/userdel.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <errno.h> - #include <fcntl.h> -diff --git a/src/usermod.c b/src/usermod.c -index ccfbb99..24fb60d 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <ctype.h> - #include <errno.h> --- -2.11.0 - diff --git a/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch b/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch deleted file mode 100644 index de0ba3ebb4..0000000000 --- a/meta/recipes-extended/shadow/files/0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch +++ /dev/null 
@@ -1,89 +0,0 @@
-From fe34a2a0e44bc80ff213bfd185046a5f10c94997 Mon Sep 17 00:00:00 2001
-From: Chris Lamb <chris@chris-lamb.co.uk>
-Date: Wed, 2 Jan 2019 18:06:16 +0000
-Subject: [PATCH 1/2] Make the sp_lstchg shadow field reproducible (re. #71)
-
-From <https://github.com/shadow-maint/shadow/pull/71>:
-
-```
-The third field in the /etc/shadow file (sp_lstchg) contains the date of
-the last password change expressed as the number of days since Jan 1, 1970.
-As this is a relative time, creating a user today will result in:
-
-username:17238:0:99999:7:::
-whilst creating the same user tomorrow will result in:
-
-username:17239:0:99999:7:::
-This has an impact for the Reproducible Builds[0] project where we aim to
-be independent of as many elements the build environment as possible,
-including the current date.
-
-This patch changes the behaviour to use the SOURCE_DATE_EPOCH[1]
-environment variable (instead of Jan 1, 1970) if valid.
-```
-
-This updated PR adds some missing calls to gettime (). This was originally
-filed by Johannes Schauer in Debian as #917773 [2].
-
-[0] https://reproducible-builds.org/
-[1] https://reproducible-builds.org/specs/source-date-epoch/
-[2] https://bugs.debian.org/917773
-
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
----
- libmisc/pwd2spwd.c | 3 +--
- src/pwck.c | 2 +-
- src/pwconv.c | 2 +-
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/libmisc/pwd2spwd.c b/libmisc/pwd2spwd.c
-index c1b9b29ac873..6799dd50d490 100644
---- a/libmisc/pwd2spwd.c
-+++ b/libmisc/pwd2spwd.c
-@@ -40,7 +40,6 @@
- #include "prototypes.h"
- #include "defines.h"
- #include <pwd.h>
--extern time_t time (time_t *);
-
- /*
- * pwd_to_spwd - create entries for new spwd structure
-@@ -66,7 +65,7 @@ struct spwd *pwd_to_spwd (const struct passwd *pw)
- */
- sp.sp_min = 0;
- sp.sp_max = (10000L * DAY) / SCALE;
-- sp.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
-+ sp.sp_lstchg = (long) gettime () / SCALE;
- if (0 == sp.sp_lstchg) {
- /* Better disable aging than requiring a password
- * change */
-diff --git a/src/pwck.c b/src/pwck.c
-index 0ffb711efb13..f70071b12500 100644
---- a/src/pwck.c
-+++ b/src/pwck.c
-@@ -609,7 +609,7 @@ static void check_pw_file (int *errors, bool *changed)
- sp.sp_inact = -1;
- sp.sp_expire = -1;
- sp.sp_flag = SHADOW_SP_FLAG_UNSET;
-- sp.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
-+ sp.sp_lstchg = (long) gettime () / SCALE;
- if (0 == sp.sp_lstchg) {
- /* Better disable aging than
- * requiring a password change
-diff --git a/src/pwconv.c b/src/pwconv.c
-index 9c69fa131d8e..f932f266c59c 100644
---- a/src/pwconv.c
-+++ b/src/pwconv.c
-@@ -267,7 +267,7 @@ int main (int argc, char **argv)
- spent.sp_flag = SHADOW_SP_FLAG_UNSET;
- }
- spent.sp_pwdp = pw->pw_passwd;
-- spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
-+ spent.sp_lstchg = (long) gettime () / SCALE;
- if (0 == spent.sp_lstchg) {
- /* Better disable aging than requiring a password
- * change */
---
-2.17.1
-
diff --git a/meta/recipes-extended/shadow/files/0001-configure.ac-fix-configure-error-with-dash.patch b/meta/recipes-extended/shadow/files/0001-configure.ac-fix-configure-error-with-dash.patch
deleted file mode 100644
index a74cbb0c0e..0000000000
--- a/meta/recipes-extended/shadow/files/0001-configure.ac-fix-configure-error-with-dash.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3c52a84ff8775590e7e9da9c0d4408c23494305e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 17 Jun 2019 15:36:34 +0800
-Subject: [PATCH] configure.ac: fix configure error with dash
-
-A configure error occurs when /bin/sh -> dash:
- checking for is_selinux_enabled in -lselinux... yes
- checking for semanage_connect in -lsemanage... yes
- configure: 16322: test: yesyes: unexpected operator
-
-Use "=" instead of "==" since dash doesn't support this operator.
-
-Upstream-Status: Backport
-[https://github.com/shadow-maint/shadow/commit/3c52a84ff8775590e7e9da9c0d4408c23494305e]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 6762556..1907afb 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -500,7 +500,7 @@ if test "$with_selinux" != "no"; then
- AC_MSG_ERROR([libsemanage not found])
- fi
-
-- if test "$selinux_lib$semanage_lib" == "yesyes" ; then
-+ if test "$selinux_lib$semanage_lib" = "yesyes" ; then
- AC_DEFINE(WITH_SELINUX, 1,
- [Build shadow with SELinux support])
- LIBSELINUX="-lselinux"
---
-2.7.4
-
diff --git a/meta/recipes-extended/shadow/files/0001-lib-copydir-copy_entry-use-temporary-stat-buffer.patch b/meta/recipes-extended/shadow/files/0001-lib-copydir-copy_entry-use-temporary-stat-buffer.patch
new file mode 100644
index 0000000000..2e5503bfd4
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-lib-copydir-copy_entry-use-temporary-stat-buffer.patch
@@ -0,0 +1,37 @@
+From af4b8cb780587aa736692a3baa76b60474f19c5d Mon Sep 17 00:00:00 2001
+From: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
+Date: Mon, 18 Mar 2024 12:14:21 +0100
+Subject: [PATCH] lib/copydir:copy_entry(): use temporary stat buffer
+
+There are no guarantees that fstatat() does not clobber the stat
+buffer on errors.
+
+Use a temporary buffer so that the following code sees correct
+attributes of the source entry.
+
+Upstream-Status: Submitted [https://github.com/shadow-maint/shadow/pull/974]
+
+Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
+---
+ lib/copydir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/copydir.c
++++ b/lib/copydir.c
+@@ -400,6 +400,7 @@ static int copy_entry (const struct path
+ {
+ int err = 0;
+ struct stat sb;
++ struct stat tmp_sb;
+ struct link_name *lp;
+ struct timespec mt[2];
+
+@@ -423,7 +424,7 @@ static int copy_entry (const struct path
+ * If the destination already exists do nothing.
+ * This is after the copy_dir above to still iterate into subdirectories.
+ */
+- if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
++ if (fstatat(dst->dirfd, dst->name, &tmp_sb, AT_SYMLINK_NOFOLLOW) != -1) {
+ return err;
+ }
+
diff --git a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
deleted file mode 100644
index faa6f68ebe..0000000000
--- a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
+++ /dev/null
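Review bot: In the second inner hunk of the new 0001-lib-copydir-copy_entry-use-temporary-stat-buffer.patch, the destination probe `fstatat(dst->dirfd, dst->name, &tmp_sb, AT_SYMLINK_NOFOLLOW) != -1` still treats every failure as "destination does not exist", so an error other than ENOENT (EACCES, for instance) falls through to the copy path; the code that follows is outside the hunk, so how it copes is not visible here. If that is not intended, the probe could return an error when `errno != ENOENT` instead of continuing. The new `tmp_sb` declaration would also benefit from a comment such as `/* scratch buffer for the destination probe; sb must keep the source entry's attributes */`, so a later cleanup does not fold it back into `sb`. copy_entry's body starts and ends outside both hunks.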
@@ -1,116 +0,0 @@ -Subject: [PATCH] useradd.c: create parent directories when necessary - -Upstream-Status: Inappropriate [OE specific] - -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - src/useradd.c | 80 +++++++++++++++++++++++++++++++++++++++-------------------- - 1 file changed, 53 insertions(+), 27 deletions(-) - -diff --git a/src/useradd.c b/src/useradd.c -index 00a3c30..9ecbb58 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -2021,6 +2021,35 @@ static void usr_update (void) - } - - /* -+ * mkdir_p - create directories, including parent directories when needed -+ * -+ * similar to `mkdir -p' -+ */ -+void mkdir_p(const char *path) { -+ int len = strlen(path); -+ char newdir[len + 1]; -+ mode_t mode = 0755; -+ int i = 0; -+ -+ if (path[i] == '\0') { -+ return; -+ } -+ -+ /* skip the leading '/' */ -+ i++; -+ -+ while(path[i] != '\0') { -+ if (path[i] == '/') { -+ strncpy(newdir, path, i); -+ newdir[i] = '\0'; -+ mkdir(newdir, mode); -+ } -+ i++; -+ } -+ mkdir(path, mode); -+} -+ -+/* - * create_home - create the user's home directory - * - * create_home() creates the user's home directory if it does not -@@ -2038,39 +2067,36 @@ static void create_home (void) - fail_exit (E_HOMEDIR); - } - #endif -- /* XXX - create missing parent directories. 
--marekm */ -- if (mkdir (prefix_user_home, 0) != 0) { -- fprintf (stderr, -- _("%s: cannot create directory %s\n"), -- Prog, prefix_user_home); -+ mkdir_p(user_home); -+ } -+ if (access (prefix_user_home, F_OK) != 0) { - #ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding home directory", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_FAILURE); -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding home directory", -+ user_name, (unsigned int) user_id, -+ SHADOW_AUDIT_FAILURE); - #endif -- fail_exit (E_HOMEDIR); -- } -- (void) chown (prefix_user_home, user_id, user_gid); -- chmod (prefix_user_home, -- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); -- home_added = true; -+ fail_exit (E_HOMEDIR); -+ } -+ (void) chown (prefix_user_home, user_id, user_gid); -+ chmod (prefix_user_home, -+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); -+ home_added = true; - #ifdef WITH_AUDIT -- audit_logger (AUDIT_ADD_USER, Prog, -- "adding home directory", -- user_name, (unsigned int) user_id, -- SHADOW_AUDIT_SUCCESS); -+ audit_logger (AUDIT_ADD_USER, Prog, -+ "adding home directory", -+ user_name, (unsigned int) user_id, -+ SHADOW_AUDIT_SUCCESS); - #endif - #ifdef WITH_SELINUX -- /* Reset SELinux to create files with default contexts */ -- if (reset_selinux_file_context () != 0) { -- fprintf (stderr, -- _("%s: cannot reset SELinux file creation context\n"), -- Prog); -- fail_exit (E_HOMEDIR); -- } --#endif -+ /* Reset SELinux to create files with default contexts */ -+ if (reset_selinux_file_context () != 0) { -+ fprintf (stderr, -+ _("%s: cannot reset SELinux file creation context\n"), -+ Prog); -+ fail_exit (E_HOMEDIR); - } -+#endif - } - - /* --- -2.11.0 - diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch deleted file mode 100644 index fa7eb07aa5..0000000000 
--- a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch +++ /dev/null 
@@ -1,300 +0,0 @@ -Subject: [PATCH] Allow for setting password in clear text - -Upstream-Status: Inappropriate [OE specific] - -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - src/Makefile.am | 8 ++++---- - src/groupadd.c | 20 +++++++++++++++----- - src/groupmod.c | 20 +++++++++++++++----- - src/useradd.c | 21 +++++++++++++++------ - src/usermod.c | 20 +++++++++++++++----- - 5 files changed, 64 insertions(+), 25 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 3c98a8d..b8093d5 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -93,10 +93,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) - chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) - chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) - gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) --groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -+groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) - groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) - groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) --groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -+groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) - grpck_LDADD = $(LDADD) $(LIBSELINUX) - grpconv_LDADD = $(LDADD) $(LIBSELINUX) - grpunconv_LDADD = $(LDADD) $(LIBSELINUX) -@@ -117,9 +117,9 @@ su_SOURCES = \ - suauth.c - su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) - sulogin_LDADD = $(LDADD) $(LIBCRYPT) --useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) -+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) - userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) --usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) 
-+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR) $(LIBCRYPT) - vipw_LDADD = $(LDADD) $(LIBSELINUX) - - install-am: all-am -diff --git a/src/groupadd.c b/src/groupadd.c -index b57006c..63e1c48 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -123,9 +123,10 @@ static /*@noreturn@*/void usage (int status) - (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n" - " (non-unique) GID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD use this clear password for the new group\n"), usageout); - (void) fputs (_(" -r, --system create a system account\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR directory prefix\n"), usageout); - (void) fputs ("\n", usageout); - exit (status); - } -@@ -387,13 +388,14 @@ static void process_flags (int argc, char **argv) - {"key", required_argument, NULL, 'K'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"system", no_argument, NULL, 'r'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {NULL, 0, NULL, '\0'} - }; - -- while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:", -+ while ((c = getopt_long (argc, argv, "fg:hK:op:P:rR:A:", - long_options, NULL)) != -1) { - switch (c) { - case 'f': -@@ -445,12 +447,20 @@ static void process_flags (int argc, char **argv) - pflg = true; - group_passwd = optarg; - break; -+ case 'P': -+ pflg = true; -+ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ break; - case 'r': - rflg = true; - break; - case 'R': /* no-op, handled in 
process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - default: - usage (E_USAGE); -@@ -584,7 +594,7 @@ int main (int argc, char **argv) - (void) textdomain (PACKAGE); - - process_root_flag ("-R", argc, argv); -- prefix = process_prefix_flag ("-P", argc, argv); -+ prefix = process_prefix_flag ("-A", argc, argv); - - OPENLOG ("groupadd"); - #ifdef WITH_AUDIT -diff --git a/src/groupmod.c b/src/groupmod.c -index b293b98..72daf2c 100644 ---- a/src/groupmod.c -+++ b/src/groupmod.c -@@ -134,8 +134,9 @@ static void usage (int status) - (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n" - " PASSWORD\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD change the password to this clear PASSWORD\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs ("\n", usageout); - exit (status); - } -@@ -383,11 +384,12 @@ static void process_flags (int argc, char **argv) - {"new-name", required_argument, NULL, 'n'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {NULL, 0, NULL, '\0'} - }; -- while ((c = getopt_long (argc, argv, "g:hn:op:R:P:", -+ while ((c = getopt_long (argc, argv, "g:hn:op:P:R:A:", - long_options, NULL)) != -1) { - 
switch (c) { - case 'g': -@@ -414,9 +416,17 @@ static void process_flags (int argc, char **argv) - group_passwd = optarg; - pflg = true; - break; -+ case 'P': -+ group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ pflg = true; -+ break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - default: - usage (E_USAGE); -@@ -757,7 +767,7 @@ int main (int argc, char **argv) - (void) textdomain (PACKAGE); - - process_root_flag ("-R", argc, argv); -- prefix = process_prefix_flag ("-P", argc, argv); -+ prefix = process_prefix_flag ("-A", argc, argv); - - OPENLOG ("groupmod"); - #ifdef WITH_AUDIT -diff --git a/src/useradd.c b/src/useradd.c -index c74e491..7214e72 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -829,9 +829,10 @@ static void usage (int status) - (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n" - " (non-unique) UID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD clear password of the new account\n"), usageout); - (void) fputs (_(" -r, --system create a system account\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs (_(" -s, --shell SHELL login shell of the new account\n"), usageout); - (void) fputs (_(" -u, --uid UID user ID of the new account\n"), usageout); - (void) fputs (_(" -U, --user-group create a group with the same name as the user\n"), usageout); -@@ -1104,9 
+1105,10 @@ static void process_flags (int argc, char **argv) - {"no-user-group", no_argument, NULL, 'N'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"system", no_argument, NULL, 'r'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"user-group", no_argument, NULL, 'U'}, -@@ -1117,9 +1119,9 @@ static void process_flags (int argc, char **argv) - }; - while ((c = getopt_long (argc, argv, - #ifdef WITH_SELINUX -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:", -+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:UZ:", - #else /* !WITH_SELINUX */ -- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U", -+ "b:c:d:De:f:g:G:hk:K:lmMNop:P:rR:A:s:u:U", - #endif /* !WITH_SELINUX */ - long_options, NULL)) != -1) { - switch (c) { -@@ -1285,12 +1287,19 @@ static void process_flags (int argc, char **argv) - } - user_pass = optarg; - break; -+ case 'P': /* set clear text password */ -+ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ break; - case 'r': - rflg = true; - break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': /* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - case 's': - if ( ( !VALID (optarg) ) -@@ -2148,7 +2157,7 @@ int main (int argc, char **argv) - - process_root_flag ("-R", argc, argv); - -- prefix = process_prefix_flag("-P", argc, argv); -+ prefix = process_prefix_flag("-A", argc, argv); - - OPENLOG ("useradd"); - #ifdef WITH_AUDIT -diff --git a/src/usermod.c b/src/usermod.c -index e571426..ccfbb99 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -424,8 +424,9 @@ static /*@noreturn@*/void usage (int status) 
- " new location (use only with -d)\n"), usageout); - (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout); - (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout); -+ (void) fputs (_(" -P, --clear-password PASSWORD use clear password for the new password\n"), usageout); - (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -- (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); -+ (void) fputs (_(" -A, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout); - (void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout); - (void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout); - (void) fputs (_(" -U, --unlock unlock the user account\n"), usageout); -@@ -1002,8 +1003,9 @@ static void process_flags (int argc, char **argv) - {"move-home", no_argument, NULL, 'm'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+ {"clear-password", required_argument, NULL, 'P'}, - {"root", required_argument, NULL, 'R'}, -- {"prefix", required_argument, NULL, 'P'}, -+ {"prefix", required_argument, NULL, 'A'}, - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"unlock", no_argument, NULL, 'U'}, -@@ -1019,7 +1021,7 @@ static void process_flags (int argc, char **argv) - {NULL, 0, NULL, '\0'} - }; - while ((c = getopt_long (argc, argv, -- "ac:d:e:f:g:G:hl:Lmop:R:s:u:UP:" -+ "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:UA:" - #ifdef ENABLE_SUBIDS - "v:w:V:W:" - #endif /* ENABLE_SUBIDS */ -@@ -1119,9 +1121,17 @@ static void process_flags (int argc, char **argv) - user_pass = optarg; - pflg = true; - break; -+ case 'P': -+ user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL)); -+ pflg = true; -+ break; - case 'R': /* no-op, handled in process_root_flag () */ - break; -- case 'P': 
/* no-op, handled in process_prefix_flag () */ -+ case 'A': /* no-op, handled in process_prefix_flag () */ -+ fprintf (stderr, -+ _("%s: -A is deliberately not supported \n"), -+ Prog); -+ exit (E_BAD_ARG); - break; - case 's': - if (!VALID (optarg)) { -@@ -2098,7 +2108,7 @@ int main (int argc, char **argv) - (void) textdomain (PACKAGE); - - process_root_flag ("-R", argc, argv); -- prefix = process_prefix_flag ("-P", argc, argv); -+ prefix = process_prefix_flag ("-A", argc, argv); - - OPENLOG ("usermod"); - #ifdef WITH_AUDIT --- -2.11.0 - diff --git a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch index 4fa3d184ed..cd99aad135 100644 --- a/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch +++ b/meta/recipes-extended/shadow/files/commonio.c-fix-unexpected-open-failure-in-chroot-env.patch @@ -1,3 +1,8 @@ +From f512071dd3a4c29d4bf048c5a89c4ba9160e37b1 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Thu, 17 Jul 2014 15:53:34 +0800 +Subject: [PATCH] commonio.c-fix-unexpected-open-failure-in-chroot-env + Upstream-Status: Inappropriate [OE specific] commonio.c: fix unexpected open failure in chroot environment @@ -11,36 +16,33 @@ the codes. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> --- - lib/commonio.c | 16 ++++++++++++---- + lib/commonio.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/commonio.c b/lib/commonio.c -index cc536bf..51cafd9 100644 +index 01a26c9..82b2868 100644 --- a/lib/commonio.c 
+++ b/lib/commonio.c -@@ -613,10 +613,18 @@ int commonio_open (struct commonio_db *db, int mode) +@@ -601,10 +601,18 @@ int commonio_open (struct commonio_db *db, int mode) db->cursor = NULL; db->changed = false; - fd = open (db->filename, - (db->readonly ? O_RDONLY : O_RDWR) -- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); +- | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC); - saved_errno = errno; + if (db->readonly) { + fd = open (db->filename, + (true ? O_RDONLY : O_RDWR) -+ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC); + saved_errno = errno; + } else { + fd = open (db->filename, + (false ? O_RDONLY : O_RDWR) -+ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW); ++ | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW| O_CLOEXEC); + saved_errno = errno; + } + db->fp = NULL; if (fd >= 0) { #ifdef WITH_TCB --- -1.7.9.5 - diff --git a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot index 8a68dd341a..09df77d2e7 100644 --- a/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot +++ b/meta/recipes-extended/shadow/files/login.defs_shadow-sysroot @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: BSD-3-Clause OR Artistic-1.0 # # /etc/login.defs - Configuration control definitions for the shadow package. # diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login index b340058539..d39e09b1ea 100644 --- a/meta/recipes-extended/shadow/files/pam.d/login +++ b/meta/recipes-extended/shadow/files/pam.d/login @@ -57,10 +57,6 @@ auth optional pam_group.so # (Replaces the use of /etc/limits in old login) session required pam_limits.so -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - # Prints the motd upon succesful login # (Replaces the `MOTD_FILE' option in login.defs) session optional pam_motd.so 
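Review bot: In the refreshed commonio.c-fix-unexpected-open-failure-in-chroot-env.patch, the write branch of commonio_open is spelled `| O_NOCTTY | O_NONBLOCK | O_NOFOLLOW| O_CLOEXEC);` with the space before the last `|` missing, unlike the read-only branch; it should read `| O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);`. Both branches keep the constant ternaries `(true ? O_RDONLY : O_RDWR)` and `(false ? O_RDONLY : O_RDWR)`, which read like dead code; presumably the form is deliberate, and a one-line comment above the `if (db->readonly)` stating why the flags are written this way would stop a later refresh from simplifying them. The added `Subject:` line repeats the patch file name rather than the prose summary that already appears in the message body. commonio_open starts and ends outside the hunk.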
diff --git a/meta/recipes-extended/shadow/files/securetty b/meta/recipes-extended/shadow/files/securetty index 2be341a216..820728faa6 100644 --- a/meta/recipes-extended/shadow/files/securetty +++ b/meta/recipes-extended/shadow/files/securetty @@ -7,6 +7,7 @@ ttyS0 ttyS1 ttyS2 ttyS3 +ttyS4 # ARM AMBA SoCs ttyAM0 diff --git a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch deleted file mode 100644 index a7bb0a9290..0000000000 --- a/meta/recipes-extended/shadow/files/shadow-4.1.3-dots-in-usernames.patch +++ /dev/null @@ -1,27 +0,0 @@ -# commit message copied from openembedded: -# commit 246c80637b135f3a113d319b163422f98174ee6c -# Author: Khem Raj <raj.khem@gmail.com> -# Date: Wed Jun 9 13:37:03 2010 -0700 -# -# shadow-4.1.4.2: Add patches to support dots in login id. -# -# Signed-off-by: Khem Raj <raj.khem@gmail.com> -# -# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11 - -Upstream-Status: Pending - -Signed-off-by: Scott Garman <scott.a.garman@intel.com> - -Index: shadow-4.1.4.2/libmisc/chkname.c -=================================================================== ---- shadow-4.1.4.2.orig/libmisc/chkname.c 2009-04-28 12:14:04.000000000 -0700 -+++ shadow-4.1.4.2/libmisc/chkname.c 2010-06-03 17:43:20.638973857 -0700 -@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n - ( ('0' <= *name) && ('9' >= *name) ) || - ('_' == *name) || - ('-' == *name) || -+ ('.' == *name) || - ( ('$' == *name) && ('\0' == *(name + 1)) ) - )) { - return false; diff --git a/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch b/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch deleted file mode 100644 index 1af04d5fe8..0000000000 --- a/meta/recipes-extended/shadow/files/shadow-relaxed-usernames.patch +++ /dev/null 
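Review bot: The `ttyS4` line added to files/securetty widens the set of terminals on which a direct root login is accepted by anything that consults this file, and neither the hunk nor the visible part of the commit says which target needs it. If a specific board uses a fifth UART as its console, a comment above the entry would record that, e.g. `# <board name>: console on ttyS4` (placeholder; the page does not name the board). Otherwise the default list is better kept as short as the supported machines require, with extra ports added only where they are used.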
@@ -1,100 +0,0 @@ - -The groupadd from shadow does not allow upper case group names, the -same is true for the upstream shadow. But distributions like -Debian/Ubuntu/CentOS has their own way to cope with this problem, -this patch is picked up from CentOS release 7.0 to relax the usernames -restrictions to allow the upper case group names, and the relaxation is -POSIX compliant because POSIX indicate that usernames are composed of -characters from the portable filename character set [A-Za-z0-9._-]. - -Upstream-Status: Pending - -Signed-off-by: Shan Hai <shan.hai@windriver.com> - -diff -urpN a/libmisc/chkname.c b/libmisc/chkname.c -index 5089112..f40a0da 100644 ---- a/libmisc/chkname.c -+++ b/libmisc/chkname.c -@@ -49,21 +49,28 @@ - static bool is_valid_name (const char *name) - { - /* -- * User/group names must match [a-z_][a-z0-9_-]*[$] -- */ -- if (('\0' == *name) || -- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { -+ * User/group names must match gnu e-regex: -+ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]? -+ * -+ * as a non-POSIX, extension, allow "$" as the last char for -+ * sake of Samba 3.x "add machine script" -+ */ -+ if ( ('\0' == *name) || -+ !((*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') -+ )) { - return false; - } - - while ('\0' != *++name) { -- if (!(( ('a' <= *name) && ('z' >= *name) ) || -- ( ('0' <= *name) && ('9' >= *name) ) || -- ('_' == *name) || -- ('-' == *name) || -- ('.' 
== *name) || -- ( ('$' == *name) && ('\0' == *(name + 1)) ) -- )) { -+ if (!( (*name >= 'a' && *name <= 'z') || -+ (*name >= 'A' && *name <= 'Z') || -+ (*name >= '0' && *name <= '9') || -+ (*name == '_') || (*name == '.') || (*name == '-') || -+ (*name == '$' && *(name + 1) == '\0') -+ )) { - return false; - } - } -diff -urpN a/man/groupadd.8.xml b/man/groupadd.8.xml -index 230fd0c..94f7807 100644 ---- a/man/groupadd.8.xml -+++ b/man/groupadd.8.xml -@@ -222,12 +222,6 @@ - <refsect1 id='caveats'> - <title>CAVEATS</title> - <para> -- Groupnames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- </para> -- <para> - Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. - </para> - <para> -diff -urpN a/man/useradd.8.xml b/man/useradd.8.xml -index 5dec989..fe623b9 100644 ---- a/man/useradd.8.xml -+++ b/man/useradd.8.xml -@@ -336,7 +336,7 @@ - </term> - <listitem> - <para> -- Do no create the user's home directory, even if the system -+ Do not create the user's home directory, even if the system - wide setting from <filename>/etc/login.defs</filename> - (<option>CREATE_HOME</option>) is set to - <replaceable>yes</replaceable>. -@@ -607,12 +607,6 @@ - </para> - - <para> -- Usernames must start with a lower case letter or an underscore, -- followed by lower case letters, digits, underscores, or dashes. -- They can end with a dollar sign. -- In regular expression terms: [a-z_][a-z0-9_-]*[$]? -- </para> -- <para> - Usernames may only be up to 32 characters long. - </para> - </refsect1> diff --git a/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch index 15f8044fa2..1eacb8a53f 100644 --- a/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch +++ b/meta/recipes-extended/shadow/files/shadow-update-pam-conf.patch 
@@ -1,88 +1,115 @@ +From 38882ab288fd4d2cc2e45dff222ae3412c8fe357 Mon Sep 17 00:00:00 2001 +From: Kang Kai <kai.kang@windriver.com> +Date: Wed, 20 Jul 2011 19:18:14 +0800 +Subject: [PATCH] shadow: update pam related configure files + The system-auth in the configure files is from Fedora which put all the 4 pam type rules in one file. In yocto it obey the way with Debian/Ubuntu, and the names are common-auth, common-account, common-password and common-session. So update them with oe way. -Upstream-Status: Pending +See meta/recipes-extended/pam/libpam/pam.d/common-password + +Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Kang Kai <kai.kang@windriver.com> +--- + etc/pam.d/chage | 2 +- + etc/pam.d/chgpasswd | 2 +- + etc/pam.d/groupadd | 2 +- + etc/pam.d/groupdel | 2 +- + etc/pam.d/groupmems | 2 +- + etc/pam.d/groupmod | 2 +- + etc/pam.d/useradd | 2 +- + etc/pam.d/userdel | 2 +- + etc/pam.d/usermod | 2 +- + 9 files changed, 9 insertions(+), 9 deletions(-) -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chage shadow-4.1.4.3/etc/pam.d/chage ---- shadow-4.1.4.3/etc/pam.d.orig/chage 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/chage 2011-07-20 19:03:08.964844958 +0800 +diff --git a/etc/pam.d/chage b/etc/pam.d/chage +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/chage ++++ b/etc/pam.d/chage @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/chgpasswd shadow-4.1.4.3/etc/pam.d/chgpasswd ---- shadow-4.1.4.3/etc/pam.d.orig/chgpasswd 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/chgpasswd 2011-07-20 19:03:26.544844958 +0800 +diff --git a/etc/pam.d/chgpasswd b/etc/pam.d/chgpasswd +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/chgpasswd ++++ b/etc/pam.d/chgpasswd 
@@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupadd shadow-4.1.4.3/etc/pam.d/groupadd ---- shadow-4.1.4.3/etc/pam.d.orig/groupadd 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupadd 2011-07-20 19:04:08.124844958 +0800 +diff --git a/etc/pam.d/groupadd b/etc/pam.d/groupadd +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupadd ++++ b/etc/pam.d/groupadd @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupdel shadow-4.1.4.3/etc/pam.d/groupdel ---- shadow-4.1.4.3/etc/pam.d.orig/groupdel 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupdel 2011-07-20 19:04:26.114844958 +0800 +diff --git a/etc/pam.d/groupdel b/etc/pam.d/groupdel +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupdel ++++ b/etc/pam.d/groupdel @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmems shadow-4.1.4.3/etc/pam.d/groupmems ---- shadow-4.1.4.3/etc/pam.d.orig/groupmems 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupmems 2011-07-20 19:04:35.074844958 +0800 +diff --git a/etc/pam.d/groupmems b/etc/pam.d/groupmems +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupmems ++++ b/etc/pam.d/groupmems 
@@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/groupmod shadow-4.1.4.3/etc/pam.d/groupmod ---- shadow-4.1.4.3/etc/pam.d.orig/groupmod 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/groupmod 2011-07-20 19:04:44.864844958 +0800 +diff --git a/etc/pam.d/groupmod b/etc/pam.d/groupmod +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/groupmod ++++ b/etc/pam.d/groupmod @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/useradd shadow-4.1.4.3/etc/pam.d/useradd ---- shadow-4.1.4.3/etc/pam.d.orig/useradd 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/useradd 2011-07-20 19:07:26.244844958 +0800 +diff --git a/etc/pam.d/useradd b/etc/pam.d/useradd +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/useradd ++++ b/etc/pam.d/useradd @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/userdel shadow-4.1.4.3/etc/pam.d/userdel ---- shadow-4.1.4.3/etc/pam.d.orig/userdel 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/userdel 2011-07-20 19:07:35.734844958 +0800 +diff --git a/etc/pam.d/userdel b/etc/pam.d/userdel +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/userdel ++++ b/etc/pam.d/userdel 
@@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so account required pam_permit.so -password include system-auth +password include common-password -diff -Nur shadow-4.1.4.3/etc/pam.d.orig/usermod shadow-4.1.4.3/etc/pam.d/usermod ---- shadow-4.1.4.3/etc/pam.d.orig/usermod 2011-07-20 19:02:27.384844958 +0800 -+++ shadow-4.1.4.3/etc/pam.d/usermod 2011-07-20 19:07:42.024844958 +0800 +diff --git a/etc/pam.d/usermod b/etc/pam.d/usermod +index 8f49f5c..b1f365d 100644 +--- a/etc/pam.d/usermod ++++ b/etc/pam.d/usermod @@ -1,4 +1,4 @@ #%PAM-1.0 auth sufficient pam_rootok.so diff --git a/meta/recipes-extended/shadow/files/useradd b/meta/recipes-extended/shadow/files/useradd new file mode 100644 index 0000000000..782aeef418 --- /dev/null +++ b/meta/recipes-extended/shadow/files/useradd @@ -0,0 +1,8 @@ +# useradd defaults file +GROUP=100 +HOME=/home +INACTIVE=-1 +EXPIRE= +SHELL=/bin/sh +SKEL=/etc/skel +CREATE_MAIL_SPOOL=no diff --git a/meta/recipes-extended/shadow/shadow-securetty_4.6.bb b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb index c78f888cf4..85c04b6af1 100644 --- a/meta/recipes-extended/shadow/shadow-securetty_4.6.bb +++ b/meta/recipes-extended/shadow/shadow-securetty_4.6.bb @@ -5,7 +5,6 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 INHIBIT_DEFAULT_DEPS = "1" -PR = "r3" SRC_URI = "file://securetty" @@ -18,7 +17,7 @@ do_install () { # Ensure we add a suitable securetty file to the package that has # most common embedded TTYs defined. install -d ${D}${sysconfdir} - install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty + install -m 0400 ${S}/securetty ${D}${sysconfdir}/securetty if [ ! -z "${SERIAL_CONSOLES}" ]; then # Our SERIAL_CONSOLES contains a baud rate and sometimes extra # options as well. The following pearl :) takes that and converts diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb index ef014628f6..00ab58b38c 100644 
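Review bot: The new defaults file `files/useradd` sets `INACTIVE=-1` and an empty `EXPIRE=` without saying that this is deliberate. Accounts created with these defaults are never disabled after their password expires and have no account expiry date, which a distro with an account-lifetime policy has to override. A short comment above the two lines would make the choice visible, for example `# No automatic lockout or expiry by default; override in a distro layer if policy requires it`. `GROUP=100` could likewise keep the explanation from the sed it replaces in shadow.inc, `# Use users group by default`, since all new users share that group when no per-user group is created.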
--- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb +++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb @@ -1,22 +1,18 @@ SUMMARY = "Shadow utils requirements for useradd.bbclass" -HOMEPAGE = "http://pkg-shadow.alioth.debian.org" -BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580" +HOMEPAGE = "http://github.com/shadow-maint/shadow" +BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base utils" -LICENSE = "BSD | Artistic-1.0" -LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5" +LICENSE = "BSD-3-Clause | Artistic-1.0" +LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;endline=1;md5=ceddfb61608e4db87012499555184aed" DEPENDS = "base-passwd" -PR = "r3" # The sole purpose of this recipe is to provide the /etc/login.defs # file for the target sysroot - needed so the shadow-native utilities # can add custom users/groups for recipes that use inherit useradd. SRC_URI = "file://login.defs_shadow-sysroot" -SRC_URI[md5sum] = "b8608d8294ac88974f27b20f991c0e79" -SRC_URI[sha256sum] = "633f5bb4ea0c88c55f3642c97f9d25cbef74f82e0b4cf8d54e7ad6f9f9caa778" - S = "${WORKDIR}" do_install() { @@ -27,6 +23,8 @@ do_install() { SYSROOT_DIRS += "${sysconfdir}" # don't create any packages -# otherwise: dbus-dev depends on shadow-sysroot-dev which depends on shadow-sysroot +# otherwise: dbus-dev depends on shadow-sysroot-dev which depends on shadow-sysroot # and this has another copy of /etc/login.defs already provided by shadow PACKAGES = "" + +inherit nopackages diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 7f8ee78717..25930b64c1 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
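Review bot: The new `HOMEPAGE` and `BUGTRACKER` values in the first hunk of shadow-sysroot_4.6.bb use `http://github.com/...`, while the download location added in shadow.inc (`GITHUB_BASE_URI`) uses `https://`. Prefer `HOMEPAGE = "https://github.com/shadow-maint/shadow"` and `BUGTRACKER = "https://github.com/shadow-maint/shadow/issues"`, so that links followed from the recipe metadata do not start with a cleartext request. The same two variables in the first hunk of shadow.inc have the same scheme and would take the same change.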
@@ -1,39 +1,31 @@ SUMMARY = "Tools to change and administer password and group data" -HOMEPAGE = "http://pkg-shadow.alioth.debian.org" -BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580" +HOMEPAGE = "http://github.com/shadow-maint/shadow" +DESCRIPTION = "${SUMMARY}" +BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base/utils" -LICENSE = "BSD | Artistic-1.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ - file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=c9a450b7be84eac23e6353efecb60b5b \ + file://src/passwd.c;beginline=2;endline=7;md5=67bcf314687820b2f010d4863fce3fc5 \ + " DEPENDS = "virtual/crypt" -UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases" -SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.tar.gz \ - file://shadow-4.1.3-dots-in-usernames.patch \ - file://0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch \ - file://0001-configure.ac-fix-configure-error-with-dash.patch \ +GITHUB_BASE_URI = "https://github.com/shadow-maint/shadow/releases" +SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \ + file://0001-lib-copydir-copy_entry-use-temporary-stat-buffer.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://useradd \ " -SRC_URI_append_class-target = " \ +SRC_URI:append:class-target = " \ file://login_defs_pam.sed \ file://shadow-update-pam-conf.patch \ - file://shadow-relaxed-usernames.patch \ " -SRC_URI_append_class-native = " \ - file://0001-Disable-use-of-syslog-for-sysroot.patch \ - file://allow-for-setting-password-in-clear-text.patch \ +SRC_URI:append:class-native = " \ file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \ - file://0001-useradd.c-create-parent-directories-when-necessary.patch \ " -SRC_URI_append_class-nativesdk = " \ - 
file://0001-Disable-use-of-syslog-for-sysroot.patch \ - " - -SRC_URI[md5sum] = "36feb15665338ae3de414f2a88e434db" -SRC_URI[sha256sum] = "4668f99bd087399c4a586084dc3b046b75f560720d83e92fd23bf7a89dda4d31" +SRC_URI[sha256sum] = "377fe0d7c1a0aa5e3514c08fdf5ddc70c9dcbb391678c2134445ed97326bcc26" # Additional Policy files for PAM PAM_SRC_URI = "file://pam.d/chfn \ @@ -44,22 +36,23 @@ PAM_SRC_URI = "file://pam.d/chfn \ file://pam.d/passwd \ file://pam.d/su" -inherit autotools gettext +inherit autotools gettext github-releases pkgconfig export CONFIG_SHELL="/bin/sh" -EXTRA_OECONF += "--without-audit \ - --without-libcrack \ - --without-selinux \ +EXTRA_OECONF += " \ --with-group-name-max-length=24 \ --enable-subordinate-ids=yes \ + --without-sssd \ ${NSCDOPT}" +CFLAGS:append:libc-musl = " -DLIBBSD_OVERLAY" + NSCDOPT = "" -NSCDOPT_class-native = "--without-nscd" -NSCDOPT_class-nativesdk = "--without-nscd" -NSCDOPT_libc-glibc = "--with-nscd" - +NSCDOPT:class-native = "--without-nscd" +NSCDOPT:class-nativesdk = "--without-nscd" +NSCDOPT:libc-glibc = "--with-nscd" + PAM_PLUGINS = "libpam-runtime \ pam-plugin-faildelay \ pam-plugin-securetty \ @@ -67,7 +60,6 @@ PAM_PLUGINS = "libpam-runtime \ pam-plugin-env \ pam-plugin-group \ pam-plugin-limits \ - pam-plugin-lastlog \ pam-plugin-motd \ pam-plugin-mail \ pam-plugin-shells \ 
@@ -75,17 +67,21 @@ PAM_PLUGINS = "libpam-runtime \ PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" -PACKAGECONFIG_class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}" -PACKAGECONFIG_class-nativesdk = "" +PACKAGECONFIG:class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} libbsd" +PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}" PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" +PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit" +PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage" +PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" +PACKAGECONFIG[logind] = "--enable-logind,--disable-logind,systemd" -RDEPENDS_${PN} = "shadow-securetty \ +RDEPENDS:${PN} = "shadow-securetty \ base-passwd \ util-linux-sulogin" -RDEPENDS_${PN}_class-native = "" -RDEPENDS_${PN}_class-nativesdk = "" +RDEPENDS:${PN}:class-native = "" +RDEPENDS:${PN}:class-nativesdk = "" do_install() { oe_runmake DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install 
@@ -114,29 +110,25 @@ do_install() { # Use proper encryption for passwords sed -i 's/^#ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/' ${D}${sysconfdir}/login.defs - # Now we don't have a mail system. Disable mail creation for now. - sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd - sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd - - # Use users group by default - sed -i 's,^GROUP=1000,GROUP=100,g' ${D}${sysconfdir}/default/useradd + install -d ${D}${sysconfdir}/default + install -m 0644 ${UNPACKDIR}/useradd ${D}${sysconfdir}/default } -do_install_append() { +do_install:append() { # Ensure that the image has as a /var/spool/mail dir so shadow can # put mailboxes there if the user reconfigures shadow to its # defaults (see sed below). install -m 0775 -d ${D}${localstatedir}/spool/mail chown root:mail ${D}${localstatedir}/spool/mail - if [ -e ${WORKDIR}/pam.d ]; then + if [ -e ${UNPACKDIR}/pam.d ]; then install -d ${D}${sysconfdir}/pam.d/ - install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + install -m 0644 ${UNPACKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ # Remove defaults that are not used when supporting PAM. - sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs + sed -i -f ${UNPACKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs fi - install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir} + install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir} # Move binaries to the locations we want rm ${D}${sbindir}/vigr 
@@ -152,10 +144,40 @@ do_install_append() { # Handle link properly after rename, otherwise missing files would # lead rpm failed dependencies. ln -sf newgrp.${BPN} ${D}${bindir}/sg + + # usermod requires the subuid/subgid files to be in place before being + # able to use the -v/-V flags otherwise it fails: + # usermod: /etc/subuid does not exist, you cannot use the flags -v or -V + install -d ${D}${sysconfdir} + touch ${D}${sysconfdir}/subuid + touch ${D}${sysconfdir}/subgid +} + +# Make executables look for dynamically linked libraries in a custom location, and install +# the needed libraries there. That way we can use them from sstate +# in setscene tasks without worrying about the dependency libraries being available. +do_install:append:class-native() { + binaries=$(find ${D}${base_bindir}/ ${D}${base_sbindir}/ ${D}${bindir}/ ${D}${sbindir}/ -executable -type f) + chrpath -k -r ${STAGING_DIR_NATIVE}/lib-shadow-deps $binaries + mkdir -p ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/ + libattr=${@bb.utils.contains('DISTRO_FEATURES', 'xattr', "${STAGING_LIBDIR_NATIVE}/libattr.so.*", '', d)} + install $libattr ${STAGING_LIBDIR_NATIVE}/libbsd.so.* ${STAGING_LIBDIR_NATIVE}/libmd.so.* ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/ + install ${D}${libdir}/*.so.* ${D}${STAGING_DIR_NATIVE}/lib-shadow-deps/ +} + +SYSROOT_DIRS:append:class-native = " ${STAGING_DIR_NATIVE}/lib-shadow-deps/" +INSANE_SKIP:${PN}:class-native = "already-stripped" + +do_install:append:class-nativesdk() { + oe_runmake -C ${B}/man DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install-man +} + +do_install:append:class-target() { + oe_runmake -C ${B}/man DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install-man } PACKAGES =+ "${PN}-base" -FILES_${PN}-base = "\ +FILES:${PN}-base = "\ ${base_bindir}/login.shadow \ ${base_bindir}/su.shadow \ ${bindir}/sg \ 
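Review bot: `touch ${D}${sysconfdir}/subuid` and the matching `subgid` line in `do_install:append` create the files with whatever mode the build-time umask yields. These files define which subordinate ID ranges a user may map, so they should ship writable by root only, and stating the mode makes that independent of the build environment. Something like `install -m 0644 /dev/null ${D}${sysconfdir}/subuid`, and the same for `subgid`, keeps the files empty and fixes the permissions. The preceding `install -d ${D}${sysconfdir}` can stay as it is.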
@@ -165,31 +187,30 @@ FILES_${PN}-base = "\ ${sysconfdir}/pam.d/su \ ${sysconfdir}/login.defs \ " -RDEPENDS_${PN} += "${PN}-base" +RDEPENDS:${PN} += "${PN}-base" inherit update-alternatives ALTERNATIVE_PRIORITY = "200" -ALTERNATIVE_${PN} = "passwd chfn chsh chpasswd vipw vigr nologin" +ALTERNATIVE:${PN} = "passwd chfn chsh chpasswd vipw vigr nologin" +ALTERNATIVE_LINK_NAME[chfn] = "${bindir}/chfn" +ALTERNATIVE_LINK_NAME[chsh] = "${bindir}/chsh" ALTERNATIVE_LINK_NAME[chpasswd] = "${sbindir}/chpasswd" ALTERNATIVE_LINK_NAME[vipw] = "${base_sbindir}/vipw" ALTERNATIVE_LINK_NAME[vigr] = "${base_sbindir}/vigr" ALTERNATIVE_LINK_NAME[nologin] = "${base_sbindir}/nologin" -ALTERNATIVE_${PN}-base = "newgrp groups login su" +ALTERNATIVE:${PN}-doc = "chfn.1 chsh.1" +ALTERNATIVE_LINK_NAME[chfn.1] = "${mandir}/man1/chfn.1" +ALTERNATIVE_LINK_NAME[chsh.1] = "${mandir}/man1/chsh.1" + +ALTERNATIVE:${PN}-base = "newgrp groups login su" ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login" ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su" -ALTERNATIVE_${PN}-doc = "passwd.5 getspnam.3 groups.1 su.1 nologin.8" -ALTERNATIVE_LINK_NAME[passwd.5] = "${mandir}/man5/passwd.5" -ALTERNATIVE_LINK_NAME[getspnam.3] = "${mandir}/man3/getspnam.3" -ALTERNATIVE_LINK_NAME[groups.1] = "${mandir}/man1/groups.1" -ALTERNATIVE_LINK_NAME[su.1] = "${mandir}/man1/su.1" -ALTERNATIVE_LINK_NAME[nologin.8] = "${mandir}/man8/nologin.8" - PACKAGE_WRITE_DEPS += "shadow-native" -pkg_postinst_${PN}_class-target () { +pkg_postinst:${PN}:class-target () { if [ "x$D" != "x" ]; then rootarg="--root $D" else diff --git a/meta/recipes-extended/shadow/shadow_4.15.0.bb b/meta/recipes-extended/shadow/shadow_4.15.0.bb new file mode 100644 index 0000000000..e57676c1da --- /dev/null +++ b/meta/recipes-extended/shadow/shadow_4.15.0.bb 
@@ -0,0 +1,10 @@
+require shadow.inc
+
+# Build falsely assumes that if --enable-libpam is set, we don't need to link against
+# libcrypt. This breaks chsh.
+BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
+
+BBCLASSEXTEND = "native nativesdk"
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
diff --git a/meta/recipes-extended/shadow/shadow_4.6.bb b/meta/recipes-extended/shadow/shadow_4.6.bb
deleted file mode 100644
index c975395ff8..0000000000
--- a/meta/recipes-extended/shadow/shadow_4.6.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-require shadow.inc
-
-# Build falsely assumes that if --enable-libpam is set, we don't need to link against
-# libcrypt. This breaks chsh.
-BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '-lcrypt', '', d)}"
-
-BBCLASSEXTEND = "native nativesdk"
-
-
-
|
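Review bot: The `CVE_STATUS[CVE-2013-4235]` entry in the new shadow_4.15.0.bb justifies itself only with "Severity is low" and a bug-tracker link, so a reader of the recipe cannot tell which risk is being accepted. A comment above it naming the issue and the assumption behind ignoring it would help, for example `# TOCTOU race while copying/removing directory trees; relevant when account tools run on trees a local user can modify` (wording to be confirmed against the linked report). Because the status arrives together with the jump from 4.6 to 4.15.0, it is also worth checking upstream release notes that `upstream-wontfix` still describes this version, rather than a `fixed-version` status.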